This document is the inaugural issue of Digital.Report+, a biannual publication exploring ICT developments in Eurasia and their relationship to political, social, and economic factors. The first issue focuses on debates around internet governance and concerns about the internet's fragmentation due to national security policies. It features several opinion pieces and interviews with experts on issues like internet regulation, cybersecurity, and personal data protection in Russia and other post-Soviet states.
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Ruling the Internet: Governance Debates in Eurasia
1. Fragmented Internet:
National Interest or
Human Rights Violation?
United and Undivided:
How to save the
Internet from national
territorialisation
The Contest of Rules:
US, China, Russia Rival
in Setting the Norms of
Behavior in Cyberspace
Ruling the Internet:
Right or Might?
Digital +Report
2.
3. EDITORIALIntroducing Digital.Report+
All Things ICT in Eurasia
Welcome to the inaugural issue of Digital.Report+, a bi-annual English-language
publication exploring the relationship between political, social, and economic factors
and ICT developments in Eurasia. Addressing a global professional audience,
Digital.Report+ bridges a gap that separates one of the most rapidly growing ICT
markets from a global community of business leaders, regulators, investors and scholars.
The first issue of our journal, “Ruling the Internet,” focuses on the future of the global
network. The original vision for the Internet as a unifying communications platform
for free exchange of information, collaboration, and, later, economic growth is coming
under ever greater scrutiny from governments and security services across Eurasia,
and the world. Concerns about the internet’s governance and management are widely
spread. Plans for possible fragmentation into national segments are openly discussed.
Digital.Report+ explores these controversial issues through an interview with Michael
Yakushev, ICANN’s VP of Stakeholder Engagement for Russia, CIS and Eastern Europe,
and opinion pieces from leading Russian experts: Nikolai Dmitrik, a legal expert with
Park Media Group; Alexandra Kulikova, a Cybersecurity Program Coordinator from
the PIR-Centre think tank in Moscow; and Fedor Smirnov, Secretary of the ISOC Russia
chapter.
The first issue also addresses ICT market liberalization in Belarus in an interview with
Igor Sukach, CEO of Atlant Telecom, Belarus’ leading private telecom service provider.
The evolution of personal data regulation by Russian authorities after 1991 is covered in
an essay by Nikolai Dmitrik, Digital.Report’s Senior Scientific Advisor, an expert on the
issue.
To provide its readers with a broad spectrum of information and analysis on ICT,
Digital.Report+ offers a Policy Digest that explains some of the past developments
and future trends in the region, a snapshot of ICT Influencer activity on social media,
engaging infographics, and a policy debate.
We are looking forward to engaging you!
TheSecDev
FOUNDATION
With Support From:
Published-by:
With so much talk about States aiming to
cut off the internet in a bid to control
information, we wanted to reflect the
connection between the real and digital
worlds. The web might be virtual, but it is
still inextricably linked to the physical
space.
Illustrations By: Jesus Rivera
Michael Berk
Managing Editor
Contact:
Michael Berk
Managing Editor
michael.berk@digital.report
@DigitalReportEN
@DigitalReportRU
www.facebook.com/digital.report/
4. Fall 2015
Nikolay Dmitrik
Alexandra Kulikova
Nikolay Dmitrik
ICT Panorama:
Interview:
Social Media Influencers, Trends, and Chatter
from Eurasia.
Jacob Appelbaum
Interview:
Michael Yakushev ICANN Vp
6
Fedor Smirnov Fragmented Internet:
National Interest or Human Rights Violation?
11
United and Undivided:
How to save the Internet from national
territorialisation
14
The Contest of Rules:
US, China, Russia Rival in Setting the Norms
of Behavior in Cyberspace
17
Personal Data:
The Post-Soviet Approach
24
Top 5 Cities for Digital Nomads:
Which are the best cities in the post-Soviet
space to be a digital nomad?
22
Interview:
Igor Sukach
28
Debate:
Are the recent terrorist attacks sufficient
basis for increasing government regulation
of the internet and electronic surveillance of
citizens?
30
32
34
11
24
Digital +Report
ICT Policy Digest
4
Michael Berk Editorial
1 Introducing Digital.Report+All Things ICT in
Eurasia
6. Digital Report+4
ICT Policy Digest
Country Highlights
Membership in the Eurasian
Economic Union, a free trade
agreement between five ex-USSR
states advanced by Russia,
accelerates integration processes within the
country, according to sources. This is likely to
lead to closer cooperation with Russia in the ICT
sector, including the adoption of its information
security paradigm, often manifested in blocking
of sites and regulatory restrictions.
Igor Schegolev, Aide to
the President of Russia,
proposes that foreign
Internet companies pay
taxes in Russia, “in accordance with
international practice.” In the meantime,
Roskomnadzor, Russia’s official media
watchdog agency, temporarily blocks
Reddit, select Wikipedia pages, and
threatens to block Facebook and Twitter.
President of Ukraine Petro
Poroshenko signs the law
on the 4G mobile standard,
to be fully deployed in
2017. Eight carriers already expressed
their interest in using 4G. Meanwhile,
the National Commission for the State
Regulation of Communications and
Informatization proposed legislation to
de-anonymize mobile users by making
it mandatory to register their IDs with the
mobile contracts.
The authorities continue to
block numerous Internet
resources, including
user-generated-content
platforms such as Vimeo, Flickr and
Tumblr, and local news sites that publish
information critical of the government
(Zonakz, Ratel). The pattern of often
extrajudicial blocking demonstrates lack
of transparency and continued disregard
for human rights online. The public
debates regarding the law “On Access
to Information” addressed shortcomings
related to provisions outlining public
access to government information.
The launch of the Cyrillic
domain zone .БЕЛ on 30
September is expected to
cause a significant surge in
public, business and government activities
on the Internet, leading to renewed
relevance of information/cyber security
issues.
Due to the continued
military confrontation
in East Ukraine, the
government pursues
widening of authorities for law enforcement
agencies and curtailing of civic freedoms as
one of the methods in the overall approach
to national security.
The US Department of Justice
blocked bank accounts worth
around $300 million that are
suspected to be part of the
dealings between relatives of the President
of Uzbekistan Islam Karimov and mobile
companies MTS and VimpelCom. The
move is part of the investigation into the
recently exposed corruption in Uzbekistan’s
telecommunication sector.
July August September
The Central Electoral
Commission of Moldova
approved the Declaration of
Information Security Policy,
which contains provisions for increasing
popular trust for and effectiveness of the
elections process in Moldova.
The State Duma, Russia’s lower
house of parliament, approved
the so-called ‘Right to be
Forgotten’ law. From 1 January
2016, Russian citizens will have the right
to demand that search engine companies
remove links that contain false or outdated
information about them.
The government plans
to introduce a number of
draft legislations in the
Fall 2015 dealing among
others with electronic communications,
critical government data infrastructure.
An Action Plan for 2015-2016 focusing
on the development of an ‘information
society’ and information technologies was
adopted as well
The authorities continue
blocking Internet, including
user-generated-content
platforms (see August).
In September, government completed
its public consultations on the draft
legislation regarding Access to Information
(open data).
Due to continued security
problems in the country
the government blocked
social media sites, such as
Facebook, YouTube and Odnoklassniki.
Alternative news sites, such as RFL/RE
remain blocked since August as well.
IGeorgia’s Ministry of
Defense held talks with
counterparts from Estonia
to discuss bilateral
cooperation on cybersecurity. Many
post-Soviet countries rely on Estonia’s
world-renowned expertise in matters of
ICT development.
7. Digital Report+ 5
The Ministry of Interior
unveiled a new police unit
tasked with the investigation
and prevention of cyber
& hi-tech crimes. Molded after US and EU
examples, the unit will also be providing a
real-time support to citizens who became
victims or witnesses of cyber crimes.
According to corporate
and government sources,
the investment into and
development of fixed access
to Internet by ISPs will remain a ‘high priority’
due to faster speeds and greater reliability of
these networks.
The law enforcement
investigation, which included
intercept of suspects’ calls
sanctioned by the President,
and uncovered signs of a widespread
corruption led to the dismissal of the Minister of
Communications and High Technologies.
Internet Service Providers
will be required to guarantee
connection speeds for their
clients. The national regulator
proposed to legislate that the actual speed
cannot fall below 70% of that specified in the
contract.
President of Uzbekistan Islam
Karimov signed the law “On
Electronic Government.”
The legislation outlines the
framework for openness and transparency
of governmental institutions, equal access
of users to e-governance services, as well as
information security.
ICT Policy Digest
October November December
Regulation and Policy
Cybersecurity
Internet Blocking and Surveillance
European Court of Human
Rights gives a legal
appraisal of Russia’s mobile
communication surveillance
practices. ECHR considers them to be in
contradiction with Article 8 of the European
Convention on Human Rights, which provides a
right to respect for one’s “private and family life,
his home and his correspondence.”
The amendments to the Law
“On Combatting Terrorism”
significantly expand powers
of law enforcement agencies,
including legalized blocking of Internet and
telephone system. Periodic blockings of social
media networks, such as Facebook and Twitter,
under the pretext of fight against extremism and
terrorism were common throughout 2015.
Representatives of the Ministry
of Information Technologies
and Communications,
Ministry of Interior, and
Ministry of Defence formed a Working
Group on cybersecurity policy. The WG’s
primary objective is to develop a multi-sector
strategic vision, establish specific priorities
and operational tasks that ensure Moldova’s
cybersecurity.
The Institute of National
Strategic Studies under
the Ministry of Defence
began the development
of a National Cybersecurity Strategy.
Considering the increasing regulation of
Internet content and more frequent blocking
of sites, there is a strong concern regarding
preservation of balance between security
and free access to Internet and information.
After five years of
consultations, Kazakhstan
adopted a new Law on
“Access to Information.”
The law stipulates rights of citizens to obtain
government information, including live
transmission of government proceedings
and management of open data. Also, new
initiatives aimed to improve operations of the
e-commerce sector are expected in the near
future. The Law on E-Commerce will feature
clear definitions of critical terms and specify
consumer rights during purchasing on-line.
In Minsk, countries of
the Commonwealth of
Independent States, a loose
association of nine ex-USSR
republics, sign documents that outline a range
of collaborative measures on countering
cybercrime.
The representatives of mass
media and civil society
submitted a public petition
to the authorities regarding
the fate of many web sites blocked by the
government without due legal process.
Among over 15 sites listed are Reddit, Flickr,
LiveJournal and Fergana News.
8. Digital Report+6
An international lawyer by training, Michael (Mikhail) Yakushev has an extensive and diverse background in Telecom/IT and Internet
Business. He worked as Chief Counsel of Moscow-based branches of multi-national corporations like Orange/Equant, Microsoft, and SAP; he
was also the Head of Legal Service of the Russian Federal Ministry on Telecommunications (2004-2006), and VP of Russian Internet holding
group Mail.Ru.Group. Michael participated in numerous international expert groups on Internet Governance, including G8 DOT-Force, UN
WGIG, and WG on Cross-border Internet of the Council of Europe. He is well-known in the countries of the former USSR for his research
work, articles and books on different legal aspects of Internet Governance.
9. Digital Report+ 7
Michael Yakushev, Internet Corporation for Assigned Names and Numbers (ICANN) Vice President
of Stakeholder Engagement for Russia, Commonwealth of Independent States (CIS) and Eastern
Europe, took the time to answer some of Digital Report’s questions. Mr. Yakushev discusses online
government censorship, ICANN’s role in Internet governance and regulation, and some of the
challenges the World Wide Web will face in the future.
What is your attitude
towards government control
of the Internet and the
blocking of websites? Does
Roskomnadzor (Russian
Federal Service for Supervision
in the Sphere of Telecom,
Information Technologies
and Mass Communications)
act in contradiction with the
constructive approach by ICANN?
As long as government regulations
do not contravene the stability and
technical security requirements of
the Internet, they fall outside the
jurisdiction of ICANN and remain under
state sovereignty. If a country has
Internet access, then de-facto ICANN
has fulfilled its duties there. However,
this raises a crucial question: at what
point do government regulations
start threatening the stability and
security of the Internet? This could
occur when a government blocks an
entire domain zone. This specific issue
opens up a host of potential problems.
Specifically, the attempts of some
countries to keep the distribution of
IP addresses under their jurisdiction.
For example, some players believe
that the distribution of IP addresses
should be done at a national level, just
like phone numbers. However, there
are as many first-level phone codes
as there are sovereign states, slightly
more than 200. Regarding the Internet,
the problem is of an entirely different
scope; there are 10 to the 28th degree
IP addresses in IPv6 protocol. Thus,
we are not talking about a limited
resource which states can distribute.
We are talking about quadrillions of
addresses. We would face serious
conflicts if one registrar occupied
an address area that was claimed by
several others. Such conflicts would
occur if different registrars attempted
to claim the same address. Another
protective layer is the DNS Sec
system, which minimizes attempts
to reset (or “substitute”) domain
names. An organization that regularly
fabricates data about requested
domain names will eventually find itself
blacklisted. Malicious actors will be
disconnected on a technical level if they
are considered a source of malevolent
activity on the network.
Taking into account that the
responsibility for blocking websites
lies with Internet providers, could
they be blacklisted by ICANN and
other organizations responsible for
stability and development of the
Internet?
ICANN cannot sanction providers and
my organization should not be viewed
as an absolute power. There is a whole
range of organizations that are not very
well represented in Eastern Europe
but are actively involved in defining
Internet standards and monitoring their
implementation. These include the
Internet Engineering Task Force (IETF),
the Internet Society (ISOC), and the
Regional Internet Registry (RIPE NCC).
The latter is responsible for distribution
of IP addresses in Europe and is located
in Amsterdam.
ICANN Vice President:
Interview with: Michael Yakushev
The Internet We Know and Want
May Soon Disappear for Good
10. Digital Report+8
By the way, this is a perfect example.
Three quarters of the Netherlands has
been reclaimed from the sea. Residents
constructed dams and created more
land. Importantly, the owner of the
plot of land closest to the sea is solely
responsible for the dam protecting
all the territory behind his land. If the
sea breaches the dam, the owner of
this plot is fully responsible. However,
if he becomes the owner of this plot,
he takes the full responsibility and the
owners of other land plots place their
trust in him. If a breach or another
unfortunate event were to occur, the
other owners would all come to support
him. This is an example of mutual trust
when everyone’s security depends on
the security of one. When the Internet
was conceived and developed as we
know it today, it was based on this
principle of absolute trust. If we were
to remove this principle, the Internet
as we know it would collapse. That
Internet, the one we know and want,
may disappear for good. Internet
freedom is based on mutual trust.
The more actions that undermine
this trust, the more mechanisms for
punishment and containment we need.
But this would be a completely different
Internet.
So is the Internet about to
collapse?
No, it is too early to say. Everything
is very dynamic, even the very idea of
what may and may not be censored
on the Internet. Twenty-five years
ago, one could hardly imagine that
a law against gay propaganda would
be adopted in Russia. At that time,
homosexuality was considered deviant,
denounced both in law and public
opinion. However, in Europe it is
considered a normal sexual behaviour,
even though it is forbidden in other
states. That is why it is very difficult to
have a common international opinion
on the dissemination of information
about sexual minorities.
Thus, the main international issue is
not in reaching consensus about what
should or should not be censored
on the Internet, but in search of the
answer for the following question:
“What should we do so that the current
system remains secure and continues
developing?” There is consensus
on this matter, and I believe that
fears of the collapse of the Internet
are groundless. The number of
connections is increasing, the number
of top-level domains has reached one
thousand, and the total number of
all domain names is in the hundreds
of millions, if not billions. Yes, some
excesses exist on the national level but
the Internet is flexible and able to solve
those problems.
Is it possible to say that cyber
security issues are used as a
political instrument? Do some
states practice what Professor
Anatoly Streltsov contends when
he describes how cyber security
is used as a proxy to increase
control over online content?
Anatoly Streltsov is a well-known
theorist of information law. At the
same time, his position reflects the
position of the majority of Russian
cyber-security officials. From their
point of view, information security is
based on a triad: personal security,
social (business) security, and security
in international relations. In this
theory, state security is tied with
social or business security, while
cyber security becomes a tiny part of
cyber crimes. Most specialists in the
world, especially from Europe and
the USA, do not share this point of
view, proving through their arguments
that what we (Russia. -ed) consider
security is not correct. The arguments
are complex and this is all one can say
about this in brief. Of course, like all
of us in Russia, I personally respect
Mr. Streltsov immensely. Certainly,
security is of high importance, and
this is not the communist epoch
with its opportunities for excesses.
However, security is the underlying
state of stability, which is based
on trust. It is not accidental that I
constantly repeat this. That is why
the more mutual trust we have, the
greater our security. The less trust we
have, the less security and the greater
need for mechanisms to ensure our
security.
That is why Western states practice
a utilitarian approach to cyber
security; one that relies on a set of
measures to provide for the technical
security of the Web and minimizes
the possibility of hacking, data theft,
and so on. Russian officials prefer
to talk about the categories of
information and psychological war,
which is not very well received by
their Western colleagues. They are, in
essence, speaking different languages.
However, technical experts and
computer specialists can define cyber
security very clearly. It is possible
that this may be the reason for many
misunderstandings. Say, when we try
to “push” for something important to
us and foreign opponents provide an
opposing point of view, then we think
- If we were to remove this principle, the Internet as we know it would collapse. -
11. Digital Report+ 9
this is political influence. It is extremely
important to speak the same language
and be able to reach a compromise.
Does ICANN implement programs
to improve cyber security in
Russia and the Commonwealth of
Independent States (CIS)?
Yes, it does. Of course, this is to a
lesser extent in Russia. Our activities
are focused on states with lower levels
of Internet penetration. In Russia, just
like with cyber security, this is not
an issue. Experienced professionals
manage domain zones and registrars. In
this sense, there are no problems with
domain and overall network security in
Russia. As for educational activities in
less-developed states, say in East Asia
and Africa, we have two departments
devoted to this activity. One of them
focuses on security matters and
the other on educating interested
stakeholders, such as law enforcement
and registrars. We would gladly
implement education campaigns in
Belarus if there were a need. However,
our Belarusian colleagues operate on a
perfectly acceptable professional level.
(This interview was conducted by DR’s
Belarusian correspondent. -ed)
Does it make sense to work
with national populations as
a whole? Is the problem of
cyber security considered
multifaceted, depending both
on the professionalism of law
enforcement and the level of
knowledge of civil society?
This is absolutely correct and exactly
what is necessary. However, the
“clients” of ICANN are registers and
registrars and not end users. We teach
our children how to cross a street, what
a traffic light is, and so on. Taking into
account that many children now use
tablets, we should teach them what
and what not to do online. We really
need this education and not only for
children. It should also target teachers
so that they know what to teach and
have more information than children
who largely know how to skirt Internet
controls. Adults must also be taught to
use public services and should feel safe
both online shopping and online banking.
However, protecting citizens is the
responsibility of individual governments.
Moreover, a low level of cyber literacy is
common; there is much work to be done
in Europe, just like in Russia and Belarus.
The investments into cyber
security are massive. Why do these
investments not reach citizens in
the form of knowledge?
Yes, in fact the investments go only into
certified laboratories. Clemenceau said
that “war is too important a matter to
be left to the military.” The military must
win on a tactical level while politicians
and diplomats win on a strategic level.
In other words, we should not leave
decisions as to whether or not to go to
war with the military. They are not able
to make such decisions. In the same
manner, the responsibility for decisions
in security domain must not reside
within offices that have a particularly
special or narrow professional approach
to the issue. In Russia, for example, some
offices are responsible for the protection
of private data. Nevertheless, if your
personal data were stolen from a cellular
phone company, the company would
produce thousands of certificates stating
that all their services and systems are
successfully certified and the company is
not responsible. That is it. But your data
is gone.
What might the solution be? Do
we need a new agency to protect
private data?
We need an understanding that the
rights and interests of a citizen are
primary. We have to first think about
protecting user needs and only after that
about technical certifications.
Will cyber security threats increase
in the future? Does it make sense
to take active measures today to
prevent these future risks? What
security problems will present the
largest challenges in the future?
Yes, the probability of new risks
increases with time. The main challenge
is that a new generation is growing
up, a generation that is much more
comfortable using computers and
connecting to the Internet. They will be
more creative than our generation and
if we underestimate or misunderstand
this, we will face hacker attacks and
phishing cases of an order of magnitude
greater than today. Imprisoned criminals
in Russia already widely participate in
SMS phishing attacks from their prison
cells, attempting to steal money via their
cell phones. Two years ago, Kaspersky
Laboratory published information
stating that the restrictive online
environment had lowered the initial age
of criminal activities to 13. For a minute,
pretend that the Russian government
restricted Anna Karenina in the country.
(Anna Karenina contains a suicide, the
description of which is illegal in Russia.
-ed) A child trying to find this book
on the Internet while circumventing
government restrictions would sooner
or later come across a proposal to make
some money via criminal activities. He
or she starts down this path and then
we see a sharp increase in cyber crime.
We may lose a whole generation while
the criminal world becomes younger and
more inventive. This is the law of large
numbers in action.
12. 10th
ANNUAL
IISRC CONFERNCE
The SecDev Foundation is a proud
sponsor of the 10th
Annual
International Information Security
Research Consortium Conference
25 - 28 April 2016 • Garmisch-Partenkirchen, Germany
Conference Themes:
Towards a Code of Responsible State Behaviour
in the Information Space
The Applicability of the Geneva Convention to
Cyberspace
PPP & Critical Infrastructure Protection
Effective Extremist Propaganda Counter
Measures
Cyber Weapon Non-Proliferation
Contact administration@digital.report for more info.
13. Digital Report+ 11
Fragmented Internet:
National Interest or Human Rights
Violation?
Fragmentation of the internet, triggered by Snowden’s revelations, is a key issue for internet governance
researchers and practitioners alike. As Professor Milton L. Mueller argued during the 2015 Annenberg-
Oxford Summer Institute, there are two types of fragmentation: unintentional technical incompatibility
and intentional limitations of acc, the latter of which raises concerns in both academic and civil societies.
Today’s internet is generally open, interoperable and unified, but governments across the world strive
towards greater control of the net. Some threats to internet freedom are of a technical nature (threats to
Domain Name System, DNS), others political (internet censorship and blocking), and others still economic
(breakdown peering and transit agreement) and legal (local privacy regimes). Over the past few years,
Russia has taken many steps towards more fragmented internet access, particularly by introducing
blacklists, requiring bloggers registration, and holding discussions about a “disconnected Runet’ (a
scenario when .RU top level domain may be separated from the global DNS).
Fedor Smirnov
Twitter: @ISOC_RU
Fedor Smirnov is the Chief Marketing Officer at Webnames.ru,
an accredited ICANN registrar. He holds a Ph.D. in Linguistics
and Bachelors of Arts degrees in German/English Philosophy
and Financial Management respectively. He is currently a Board
Member and Secretary of the Russian Federation ISOC Chapter.
14. Digital Report+12
field to be “around the construction of the internets role in
the everyday life of its users.”[2] There is a need in Russia
to oppose the state-sponsored framing of the internet and
expand internet imaginaries beyond security threats and
leisure. Global organizations focusing on internet development
(e.g. Internet Society) may need to put forth stronger efforts in
the promotion of core values of an interoperable internet in
Russia. Such initiatives will never be effective without bottom-
up campaigns including e-participation, citizen activism, and
social entrepreneurship that benefit from the global nature of
the internet.
Fragmentation of the internet is supported by state actors
in many countries and requires permanent monitoring and
more attention from media and internet policy researchers.
Data localization proposals, introduced with good intentions
to protect citizens’ personal data from external threats, may
instead just create fragmented, disconnected networks or
“national segments” of the internet. This kind of fragmentation
will devalue core principles of the internet and transform it
from an open communication platform into over-regulated
media space used for national interests, including propaganda
and the violation of human rights.
Russia is not the first country to implement data localization
requirements. Along with countries like Vietnam, Brazil
and India, Western democracies such as Germany, France,
and Canada are heading towards a fragmented internet as
well. Russia’s tendency towards fragmentation resulted in
the Russian Data Localization Law (242-FZ) that took effect
September 1, 2015. The law, which pushes Russia further down
a data localization trajectory, stipulates that digitizedpersonal
data of Russian citizens should be recorded, systematized,
and stored using databases located within national territory.
Websites that break the law will be added to a special
register, which will enable Russian government-controlled
communication regulator Roskomnadzor to block those who
are non-compliant.
While the government claims the Russian Data Localization
Law will guard Russian internet users’ privacy, the law does
not necessarily guarantee better protection of personal data
as it facilitates government access to sensitive information.
New legislation would make operational activity of foreign
companies in Russia more complicated, generating additional
costs and adding new barriers for global players that want to
enter the Russian market. While some consequences of this
law are not clear, data localization goes against underlying
principles of internet openness and negatively affects the
internets resilience and stability in Russia.
At the Annenberg-Oxford Summer Institute, Professor Monroe
Price, Director of the Center for Global Communications
Studies (CGCS), raised a crucial point during a discussion
on fragmentation when he posed the global unfragmented
internet as a human rights issue
In his analysis of internet regulation processes in Russia,
Dr. Gregory Asmolov, a researcher at the London School of
Economics and Political Science, considers the core struggle
for researchers and practitioners in the internet governance
[1] Anupam Chander, Uyen P. Le (2014) Breaking the Web: Data Localization vs. Global
Internet. California International Law Center. Retrieved fromhttp://papers.ssrn.com/sol3/
Delivery.cfm/SSRN_ID2427869_code366600.pdf?abstractid=2407858&mirid=1
[2] Asmolov, G. (2015) Welcoming the Dragon., The Role of Public Opinion in Russian
Internet Regulation. Center for Global Communications Studies. Retrieved from http://
www.global.asc.upenn.edu/publications/welcoming-the-dragon-the-role-of-public-
opinion- in-russian-internet-regulation/
While the government claims the Russian Data
Localization Law will guard Russian internet
users’ privacy, the law does not necessarily
guarantee better protection of personal data
15.
16. Digital Report+14
United and Undivided:
Internet governance has become a frequent topic for discussion, especially in Russia. Since
September of 2014, Russia has hosted two major internal events dedicated to this topic: a
Security Council meeting in September, dedicated to the possibility that Russia could be cut off
from the Internet, and the Russian Internet Governance Forum in April 2015, the main theme of
which was the principle of national sovereignty over the Internet. To avoid states breaking the
Internet into pieces in pursuit of their own interests, it would be best for the global community
to set up an international agreement similar to those regulating the use of the open seas, space,
and Antarctica.
Nikolay Dmitrik
Nikolay.Dmitrik@digital.report
DR’s Senior Scientific Advisor and Head of Legal Consulting ParkMedia Consulting. In 2006-2012,
as an Officer of the Legal Department of the Ministry of Telecom and Mass Communications of the
Russian Federation he took part in the development of legislations on personal data, e-signatures,
e-government services and access to information. Author of more than 40 scientific papers in the
field of ICT regulation.
How to Save the Internet From National
Territorialisation
17. Digital Report+ 15
WHY IS THE INTERNET NOT YET DIVIDED?
It is not that simple. The Internet has another, more global,
side. In the middle of last century, humanity faced the same
question: to divide or not to divide, but at that time we were
talking about open seas, aviation, space, and the Antarctic.
National bodies resolved not to divide these into sections
but rather to create a deterrence mechanism prohibiting any
single country from claiming ownership over a global good.
Currently, the Internet is not divided because its value rests
in its global nature. This is easily visualized via the example
of a lap pool. A community swimming pool is most effective
when used communally by all visitors. Nevertheless, this
effective sharing of a common good would quickly collapse if
several users reserved their lap lanes. Upon seeing the first
reservations, others would immediately follow suit, being
scared they would be left without space to swim if they did not
act.
Internet governance is currently precariously balanced. The
US administration knows it governs the Internet and knows
other governments realize this. However, any attempt to
impose this control would lead to the Internet’s immediate
segmentation, leaving the US in control of Internet only within
its own national borders. Are the steps taken by Washington
sufficient to avoid the division of the Internet? Evidently, no.
HOW DO YOU SEE THE POTENTIAL
REGULATION OF THE INTERNET?
First, we have to recognize that the relationships and needs
of the Internet are in a superposition state. They are neither
solely interstate, nor domestic. Thus, we can determine
whose interests intersect in a specific problem only after we
determine the effects of the problem on a case-by-case basis.
This requires a new governing approach (other than material
law or principles of conflicts of laws), which would allow us
to take into account different sets of national legislation that
touch upon the Internet. In this case, the division into national
segments at the infrastructural level will not create divisions
between countries on a content level.
The Internet deserves a Multilateral Convention and
International Governing Body.
Second, we need a system of checks and balances instead of a
mutually assured destruction. This system must demonstrate
to each state that any attempt to control the global Internet
outside of its borders will lead only to the removal of this
state from the global network. This must apply to every state
without exception.
Third, legal mechanisms could also support limitations that
are already built into the actual technologies of the Internet
themselves, also known as lex informatica. Whatever we say
about Internet decentralization now, the Internet still has a
single governance centre. This is not a problem for a local or
national telecom network. If we are talking about something
with global value, we must remember that the Earth is round
and it does not have a single point on its surface that everyone
agrees to be its centre.
In order to satisfy all sides, we require a multilateral process.
Ideally, it should be a multilateral convention and an
international governing body. The Internet is no less deserving
of these methods than the open seas.
WHY GOVERN THE INTERNET?
The answer to this question evolves from the philosophical
to the deadly serious upon deeper consideration. The level
of Internet penetration, especially within the public offices,
is so high that he who governs Internet, governs the world.
However, there is a problem: no one knows exactly where
attempts to govern the Internet will lead.
Let me illustrate this with the example of VISA and
MasterCard systems in Russia in 2014. As a result of Western
sanctions, both companies stated they would be forced to
discontinue their services for several sanctioned Russian
banks. I participated in the drafting of the Law on the
national payment system from 2007-2012. At that time, the
attempt to create a national payment system to compete
with the international ones fell apart with the argument “why
reinvent the wheel, we already have Visa and MasterCard.”
And now, we have a different reality: Visa and MasterCard
can only continue operating in Russia so long as they do
not exclude sanctioned Russian banks from their services.
Besides that, Russia has moved to create a national electronic
card payment system designed to compete with existing
credit cards.
On the one hand, countries The Internet faces the same
dilemma. For a long time, states did not use Internet
technologies for a significant portion of their day-to-day
work. For Russia, this period ended in 2010. Since then, the
overwhelming introduction of e-government technologies
has significantly raised public-sector dependence on the
Internet. As a result, the issue of Internet governance within
national boundaries has turned into an issue of life and death,
at the national level.
Why specifically mention governance within national
boundaries? At the moment, state sovereignty is
unambiguously superior to the Internet within a country.
States remain states. No one has abolished the principle of
sovereign equality contained within both the Charter of the
United Nations and national constitutions.
But how strong and unequivocal would be a government
answer to the question: should we govern the Internet?
It will obviously answer: “yes, we should govern the internet.”
++ All government work relies extensively upon the
Internet, both internally and externally.
++ From the time of the Internet’s creation, no internal
control mechanisms have been invented (leaving aside
loud declarations which rarely amount to anything)
which protect users from crime, the spread of
illegal information, or simply from the imposition of
unwanted information or views on them.
++ The Internet and information technologies are
becoming increasingly more important for national
economies.
Taking into account these opinions, the Internet is yet
another area where a government must provide order and
support the rule of law. In order to achieve these goals, every
state must demarcate, consider, and protect the Internet
within its own national borders.
18. WANT TO
BE HEARD?
Digital.Report is a bridge between West and
East on all things ICT. We specialize in
facilitating dialogue between parties, advising
on sound public policy choices and delivering
actionable information. We believe in an open
and free Internet.
Contact us today to explore how we can
collaborate on ensuring your message
is heard by the right audience.
Email administration@digital.report.
20. Digital Report+18
on the political good will of all signing parties regarding
information sharing, CERTs and CSIRTs cooperation, and joint
efforts in investigation against at attacks. The current level of
trust in the international arena makes it difficult to imagine
that non-binding principles could act as an effective measure
of restraint for the twenty states-signatories (Belarus, Brazil,
China, Colombia, Egypt, Estonia, France, Germany, Ghana,
Israel, Japan, Kenia, Malaysia, Mexico, Pakistan, Republic of
Korea, Russia, Spain, UK, US) let alone any other aspiring cyber
nations. Though it sets an important precedent for consensus,
this report does not tackle some key issues on bilateral
agendas, which will need individual fine-tuning.
What is most interesting is how some issues, which were not
included in the agreement, are currently addressed. UN GGE is
a consensus platform, and given the long-standing differences
in stances formulated by the most vocal participants (the US,
Russia, China), this reveals the ongoing contest over who sets,
shapes, and interprets international norms, representing the
ultimate manifestation of power in a multipolar world.
Both China and Russia are quite successful in domestic norm
building, which reflects Chinese and Russian authorities’ tough
position on content control and online data sovereignty. In
this regard, the recent research paper, “Benchmarking Public
Demand: Russia’s Appetite For Internet Control,” by the Center
for Global Communications Studies at Annenberg School for
Communication, gives a good sense of the domestic norms
setting success enjoyed by the Russian authorities.
China and Russia have attempted to push these norms at the
international stage for further legitimation, but beyond the
Shanghai Cooperation Organisation (SCO) ‘Code of Conduct
for information security’ their success has been modest until
recently. However, some of the ‘Code of Conduct’ language is
present in the UN GGE report. For instance, clause 26 explores
how states should “[refrain]in their international relations
from the threat or use of force against the territorial integrity
or political independence of any State, or in any other manner
inconsistent with the purposes of the United Nations… and
non-intervention in the internal affairs of other States.”
Clauses 27 and 28 also suggest that state sovereignty and
international norms and principles flowing from sovereignty
apply to states’ conduct on ICT-related activities and to their
jurisdiction over ICT infrastructure within their territory. Still,
in other fora the concept of state sovereignty in cyberspace
remains a stumbling block, as well as what ‘objectionable
content’ implies. The latter is increasingly important to spell
out, as radical groups like ISIS actively use online platforms
for recruitment. This might give an extra opportunity for the
wider acceptance of what up to recently has been qualified as
a ‘domestic norm’ for a number of countries (e.g. taking down
extremist/terrorist content).
As for the US cyber norm promotion, one principle of state
behaviour laid out by the US State Department in May 2015
states that “no country should conduct or support cyber
enabled theft of intellectual property, trade secrets, or other
While the United Nation’s bureaucracy is typically
perceived as ill paced for dynamic ICT governance, in June
2015 a major breakthrough occurred. Representatives
from twenty countries Group of Governmental Experts
(GGE) on Developments in the Field of Information and
Telecommunications in the Context of International Security.
The GGE agreed on a range of non-binding norms for
state behaviour as well as confidence and capacity building
measures in cyberspace – something many were skeptical
about. The agreements, reflected in the report published in
August, outline some important commitments which states
have refused to recognize since the late 1990s when the
Russian Federation started promoting the norm building
process through the creation of the UN GGE.
These include, inter alia, the commitment to not attack
each other’s critical infrastructure and cyber emergency
response systems (CERTs and CSIRTs), to not knowingly allow
illegal third party cyber activity from within their territory,
to carry out due investigation on malicious activity before
counteractions are taken to assist in investigations of cyber
attacks and cyber crime launched from the country’s territory,
and to commit to peaceful use of ICTs as a cornerstone of
peace and security in cyberspace and beyond. Building on the
success of the previous UN GGE in 2013, which acknowledged
the applicability of international law to cyberspace and
encouraged future elaboration of norms and confidence
building measures (CBMs), the current GGE managed to build
upon and agree on some minimum conditions for international
cyber stability.
Since the release of the report, numerous discussions have
focused on the practical implementation of the agreement,
as well as the feasibility of the non-binding norms-based
approach to cyberspace governance in general. While the
agreement is a positive step, the extent to which the given
commitments will actually translate into practice depends
... China and Russia
are quite successful in
domestic norm building,
which reflects Chinese
and Russian authorities’
tough position on content
control and online data
sovereignty...
21. Digital Report+ 19
confidential business information for commercial gain.” It
was not included in the set of norms in final UN GGE report,
which might have contributed to the intention to pursue
the issue on the bilateral level. At the end of August, the
media reported that the US planned to impose sanctions on
Chinese companies and individuals found guilty of commercial
espionage. A related Executive Order, signed back in April
2015, gave the Treasury Department wide authority to employ
economic sanctions against cyber hackers whose actions
have harmed national security. Though not drafted to address
exclusively Chinese offenders, given the long track record of
bilateral tension over the issue, it is viewed as such.
Cyber issues certainly framed the agenda of Chinese President
Xi Jinping’s September 22-25 state visit to the US. A White
House statement released at the end of the state visit,
articulated the two countries’ agreement to not engage in
cyber theft and cooperate on cyber crime issues, a surprise
amid scepticism many have had about cajoling China into any
promises. While this may give an impression that the US cyber
agenda is gaining the upper hand, this is most likely wishful
thinking.
The talks are an interesting carrot and stick exercise.
In addition to the reported US sanctions for intellectual
property cyber theft, ahead of President Xi Jinping’s visit,
sources announced that the US and China are developing
their own cyber deal similar to the China – Russia agreement
signed in May. While the deal would not be regulated by
any international accords both countries are signatories
to, it would echo and reinforce the UN GGE agreement. In
retrospect, this rumoured bilateral pact looks like a Plan B in
case the efforts to settle more urgent cyber theft issue lead
nowhere.
Indeed, Mr. Xi Jinping has been sending mixed messages by
both standing his usual ground on some norms and seemingly
suddenly giving in on others, which he previously refused
to embrace on behalf of his country. In an interview ahead
of his visit to the US he reiterated China’s traditional stance
that “rule of law also applies to the Internet, with the need to
safeguard a country’s sovereignty, security and development
interests as relevant as in the real world.” However, he also
recognized the urgency to fight what his country has been
accused of by admitting that “cyber theft of commercial
secrets and hacking attacks against government networks
are both illegal; such acts are criminal offences and should
...If the US corporate
sector eases on data
disclosure in China, this
could give grounds for
US law enforcement to
request similar access
to data for intelligence
purposes...
22. Digital Report+20
be punished according to law and relevant international
conventions.” Speaking to tech-firms in Seattle, Mr. Xi Jinping
pledged readiness to set up “a high-level joint dialogue
mechanism with the United States to fight cyber crimes,”
pointing out that his government “will not, in whatever
form, engage in commercial theft nor encourage or support
such efforts by anyone.” Coupled with promises to welcome
foreign investment, this appears to be a candid commitment
to stronger bilateral relations, followed by the US-China joint
pledge not to “conduct or knowingly support cyber enabled
theft of intellectual property, including trade secrets or other
confidential business information, with the intent of providing
competitive advantages to companies or commercial sectors,”
which few expected.
Still optimists should not hold their breath due to the non-
binding nature of the US-China talks and UN GGE norms. The
language of the cyber commitment reveals some important
reservations, which leave much room for interpretation in the
future. Along with some other CBMs on timely responses “to
requests for information and assistance concerning malicious
cyber activities” and establishing “a high-level joint dialogue
mechanism on fighting cybercrime and related issues,” the
US-China talks also suggest that the two sides “agree to
cooperate, in a manner consistent with their respective
national laws and relevant international obligations, with
requests to investigate cyber crimes, collect electronic
evidence, and mitigate malicious cyber activity emanating
from their territory.”: The allusion to national laws is a useful
caveat to any future conflicts over lack of cooperation.
Additionally the activity of non-state actors is not addressed,
allowing for deniability of failure to commit.
China must be feeling fairly comfortable with the soft law
solution since, even if US sanctions follow if China does not
honour this US-China commitment, sanctions might backfire.
First, cyber attack attribution is difficult and the accused will
most certainly deny any wrongdoing (as seen with the Sony
Pictures attack). Second, sanctions will deliver a blow to US
companies’ business with China, impacting the thousands
of jobs that rely on these ties. Third, China can retaliate
against the threat of sanctions by pushing US tech firms to
comply with China’s desire for increased control over data
flows. While this could force some US companies to leave
the Chinese market, US tech firms giving China access to
encrypted communications could also have larger implications
for domestic US data access. If the US corporate sector eases
on data disclosure in China, this could give grounds for US law
enforcement to request similar access to data for intelligence
purposes.
This also reveals an interesting interplay between the two
faces of cyber espionage – for intelligence or commercial ends
– representing different perceived threats on both countries’
sides. Since Snowden’s revelations, which ironically were made
public when China and the US last addressed cyber crime
issues face to face, China feels its actions in the cyber sphere
are justified, given the scope of the US cyber intelligence
intrusiveness. The US sees SIGINT efforts as a legitimate
part of any country’s foreign policy. Though the commitment
to non-compromising ICT products with “harmful hidden
functions” features at least in the UN GGE’s set of norms
(even though the verification remains a challenge), IP theft
looks more like a sore point on the bilateral agenda, probably
addressed in a broader context of US-China relations with
inevitable trade-offs.
Unless the US curtails some cyber intelligence, other
incentives must be offered to push the Chinese to make
concessions and embrace more US-promoted norms. In
any case, in its current vague form, which addresses only
governments and does not incorporate none-state actors, the
agreement is a comfortable and symbolic half-step, saving
face for both sides and leaving the door open for further
negotiations.
With the dormant Russia-US cyber deal from 2013 in mind,
there is a triangle of agreements among Russia, China and
the US embedded in the UN GGE accord. Non-interference
with domestic affairs via ICT tools might be more of a priority
for Russia given current geopolitical turmoil despite record
domestic public approval rates. While supporting this norm,
China does not seem to view it as a critical one – a tightly
controlled digital domain is well-preserved in the country and
faces no palpable threat. The US, on the other hand, places
much importance on curtailing commercial cyber espionage.
All three countries are united by the desire to protect their
critical infrastructure against cyber attacks though this most
tangible ‘common denominator’ is less relevant in peacetime.
The struggle will continue in the domain of little or no
normative consensus in cultural, historical and practical terms,
lined with strategic economic bargaining where conceptual
understanding fails.
Non-interference with
domestic affairs via ICT
tools might be more of a
priority for Russia given
current geopolitical turmoil
despite record domestic
public approval rates.
23. LIKE WHAT YOU ARE READING? WE NEED YOU!
Digital.Report+ is a creative vehicle enabling you to reach decision makers.
We seek collaborators, sponsors and partners to launch this publication in
Spring 2016.
Let’s build a strong digital Eurasia together. Contact us at
administration@digital.report!
24. Digital Report+22
Astana
0.90 $
Chisinau
0.59 $
Moscow
0.99 $
Tbilisi
0.82 $
Kiev
0.53 $
SignsStreet
English
Moscow
Astana Kiev
Moscow
Tbilisi
Chisinau Kiev
Astana
Prepare your passport
you will need a visa
No visa required
your visaplease !
1/2LBeer
TOP 5 POST-SOVIET CITIES FOR A DIGITAL NOMAD
Wecomparedavarietyofindependentstatisticstofindthebest.
25. Digital Report+ 23
443 $
Astana
380
$
333$
195$
K
iev
Tbilisi
Chisinau
935 $
Moscow
1 Bedroom
apartment
Tbilisi
Moscow
Astana
ChisinauKiev
42
10
14
11
08
Internet Service
Chisinau#1 MOLDOVA
Chisinau
61Tbilisi
78
Kiev
73
Astana
53Moscow
42
ICT DevelopmentIndex Rating
26. Digital Report+24
PERSONAL DATA:
Protecting privacy in the Soviet Union was not a priority for quite a long time. It was only in 1977 when
Article 56 was included in the new Constitution. The article stands out for being one of the shortest
included in the Constitution consisting of just: “The privacy of citizens, their correspondence, phone
conversations and telegraph communications are protected by law”.
Four years later, a leading Soviet legal scholar, Nikolai Malein, opined after analyzing the status of
citizens’ privacy protection that some of the norms in the legislation might protect certain privacy
aspects, but did so insufficiently and inconsistently. For example, there was no law included forbidding
officials in public offices, enterprises or organizations from sharing private information acquired during
execution of their official duties. Despite Soviet lawyers’ continued insistence that the privacy of citizens
must be protected, the situation persisted until the adoption of the 1993 Constitution of the Russian
Federation. A peculiar anecdote is that this problem appeared to be of greater concern for those scholars
who took part in the Second World War. Having survived the war, with many losing all in the process,
they fought hard for the right of future generations to their own, private world to which the state would
not have direct access.
The Post-Soviet Approach
Nikolay Dmitrik
Nikolay.Dmitrik@digital.report
DR’s Senior Scientific Advisor and Head of Legal Consulting ParkMedia Consulting. In 2006-2012,
as an Officer of the Legal Department of the Ministry of Telecom and Mass Communications of the
Russian Federation he took part in the development of legislations on personal data, e-signatures,
e-government services and access to information. Author of more than 40 scientific papers in the field of
ICT regulation.
27. Digital Report+ 25
Convention. The ratification of the Convention appeared to
be a ‘forced decision’ for Russia. Practice has demonstrated
that European organizations, above all Europol, did not
consider the level of data protection in Russia as adequate and,
therefore, did not share personal data from European sources
requested by Russian law enforcement agencies.
Due to the efforts of another lawyer (and Second World War
veteran), Sergey Alekseev, the contemporary Constitution
of Russia includes two articles devoted to privacy. The
Constitution affirms the protection of privacy, personal
and family secrets, honor and good name for everyone.
Every citizen should enjoy the right to secrecy of their
correspondence, phone conversations, as well as post,
telegraph, and other communications. Similarly, the gathering,
storage, use, and distribution of information about the private
life of a citizen are forbidden without that person’s prior
consent. Public offices, local authorities, and their officials
must provide every citizen with an opportunity to review the
documents and information directly related to their rights and
freedoms, unless there are legal provisions specifying another
approach.
Privacy protection issues were on the rise in the decade
following the adoption of the 1993 Constitution. In addition to
the Constitution, the federal Law on Information was enacted
in 1995, which established the concept of “personal data” and
contained relevant confidentiality provisions. Unfortunately,
the Law also included an absurd (and, thus, never implemented
in practice) stipulation that any private entity, whether an
individual or organization, processing personal data must
obtain a prior license.
Also in 1995, the right to sue for protection of privacy
in a court of law was introduced into the Civil Code.
Notwithstanding these achievements, many other elements
of a comprehensive approach to personal data, such as a
supervisory authority or obligation to notify when processing
personal data, did not emerge until 2005.
In reviewing the cases aimed at protecting privacy from the
late 1990s to the early 2000s, a pattern emerges: If a request
for personal data was perceived as illegitimate, it would be
denied, only to be followed by a court appeal. The courts, upon
reviewing the case, would usually rule in favour of the citizen
protecting their privacy. The original request for information
typically came either from government agencies (e.g., court
bailiffs) or from a private person (e.g., a request from a citizen
to produce a voters’ list). No cases were identified, however,
where the petitioner seeking court protection of their rights
was the same person whose personal information was the
subject of the original request. This may be seen as a trend
- the protection of personal data was a subject of interest
not to the people whose information was requested, but to
the data holders, such as banks, election committees or law
enforcement agencies. This trend eventually determined how
the actual practice has evolved over time. The court disputes
were conducted between the data holders and those who
wished to get access to it, as opposed to data holders and
individuals whose data they possessed.
In 2001, Russia signed the Council of Europe’s “Convention
for the Protection of Individuals with regard to Automatic
Processing of Personal Data.” A Federal Law “On Personal
Data” structured along the similar Directive of the European
Commission was adopted in 2007 to implement the
What follows is a review of the legal framework addressing
specific aspects of personal data protection.
INFORMATION SECURITY
The original text of the Law required controllers and third
parties accessing personal data to ensure confidentiality
of such data, excluding cases where depersonalized or
publicly available data is processed. In reality, the fact that
personal data was considered confidential by default led to a
presumption that it must be kept secret at all times, just like
it is done with secret information in criminal investigations
or official and professional secrets. As a result, controllers
faced strict requirements to ensure security of personal data,
and the Federal Service for Technical and Exports Control
along with the Federal Security Service (FSB, in Russian) were
tasked with supervising their implementation. A detailed list of
measures including by-laws dealing with the use of certified
protection tools, software, and cryptographic means aimed at
ensuring information security was promptly developed.
Soon after the enactment of the Law it became apparent
that the stipulated requirements were too strict. They were
extremely expensive to implement for small businesses (public
notaries, for example) and posed unattainable goals for large
ones, such as airlines. Due to these reasons, a new version of
the Federal Law “On Personal Data” was adopted in 2011. It
Elements forming the Russian personal data legal regime, which
is similar to the EU Directive 95/46/ EC of 24 October 1995:
++ Definition of key terms, such as “controller”, “data subject”
and “processing”;
++ Establishment of the basic principles of personal data
processing;
++ Naming the criteria for making data processing legitimate
(consent of the data subject, performance of a contract, legal
obligation, etc.);
++ Special categories of data (sensitive data), for which special
processing requirements are set;
++ Information to be given to the data subject;
++ The data subject’s right to access data;
++ Limitations for automated individual decisions;
++ Confidentiality of personal data;
++ Controller security obligations when processing personal
data;
++ Supervisory authority on the protection of individuals with
regard to the processing of personal data;
++ Notification obligation;
++ Transfer of personal data to third countries.
28. Digital Report+26
introduced a multi-level classification of security measures in
accordance with varying degrees of potential risks and probability of
resulting consequences. In addition, the special agencies’ supervision
over implementation of these data security measures was narrowed
down to government offices only. Information security stipulations for
all private controllers became de facto recommendations only.
SUPERVISORY AUTHORITY
The Russian public agency authorized to protect the rights of personal
data holders is the Federal Service for Supervision in the Sphere
of Telecom, Information Technologies and Mass Communications
(Roskomnadzor). The agency also oversees Internet service providers
and media, as well as guiding the implementation of blocking websites
that contain illegal information in Russia (the “Internet blacklist”).
The Law provides Roskomnadzor with significant power regarding
supervision over the controllers and their activities related to
personal data. Controllers are required to submit to Roskomnadzor a
notification form consisting of 11 items prior to beginning processing of
personal data. For example, one of such items is called “The overview
of measures used to ensure security of personal data in accordance
with the requirements to protect personal data.” Other items include
description of internal policies regarding data processing, a list of
data categories and so on. Roskomnadzor is authorized to request any
documents or information from the controllers, conduct a review, and
limit their access to personal data or block processing of such data in
the event that any violations of legal requirements have been identified.
In practice, however, this broad authority is quite toothless. According
to Roskomnadzor, there are over 1 million personal data controllers in
Russia, so inspecting each one of them at least once would take nearly
30 years. Moreover, these inspections include only a formal review of
documents to verify whether there is a personal data processing policy
in place, a dedicated officer responsible for data processing has been
appointed, or documents describing security measures meeting the
legal requirements are in place. Roskomnadzor has neither resources
nor sufficient authority - strange as it may seem - to practically audit,
or at least evaluate the security systems in place.
PROTECTION OF DATA SUBJECT’S RIGHTS
The federal law “On Personal Data” is a legal act administrative
in nature. When addressing the rights of a data subject and the
responsibilities of a controller, the law envisages only an administrative
responsibility (fines) for controllers that do not comply with legally
required procedures. Prior to 2011, the previous version of the law
stated in general terms that a personal data subject has the right to
protect their rights and legal interests, including the right to receive
compensation for incurred costs and/or moral damages through the
courts. The author managed to find only three court cases related
to compensation for damages between 2007 and 2011 (all cases were
for moral damages) initiated by personal data subjects. Only in one of
these cases did the court rule in favor of the plaintiff. By comparison,
during the same period, Roskomnadzor examined more than 6,000
administrative complaints related to the violation of personal data
rights.
Since 2011, the Law contains the dedicated provision of compensation
for moral damages inflicted on an individual through the violation of
their rights. As a result, the number of compensation cases has been
Privacy Protection in Russia
09.10.1977
12.12.1993
01.01.1995
19.12.2005
25.07.2011
01.09.2015
20.02.1995
27.07.2006
Article 56 of the USSR Constitution
mentions protection of privacy for
the first time
Articles 23 and 24 of the Russian
Constitution stipulate: the right for
protection of private life, personal and
family secrets; the banning of collection,
storage, use, and distribution of private
information without consent of a person;
the right of any individual to survey the
materials directly related to their rights
and freedoms.
Privacy, as well as personal and
family secrets are included in the list
of non-material values protected by
the Russian Civil Code and can be
defended in courts.
Russia ratifies the Council of Europe
Convention for the Protection of
Individuals with regard to Automatic
Processing of Personal Data (ETS N
108).
Amendments to the Federal Law “On
Personal Data” including: obligatory
requirements to ensure information
security of personal data by state-
owned controllers; a mechanism for
moral damages compensation.
Data localization requirement comes
into effect.
The Federal Law “On Information”
introduces the concept of personal
data and stipulates the requirement for
its confidentiality.
The Federal Law “On Personal Data” is
enacted. The Law contains all elements
comprising a legal regime for protection
of personal data, in line with the EU
Directive.
29. Digital Report+ 27
steadily increasing to over a hundred. The courts often take
the side of individuals, exacting compensation for damages
from banks, bailiffs, or public utilities that distributed or
processed personal data in an illegal manner.
DATA LOCALIZATION
Inspired by the 2014 EU Court of Justice ruling on the
“Right to be forgotten”, the Russian legislature introduced
amendments to the Federal Law “On Personal Data”.
These amendments set forth the legal mechanism for
implementation of court decisions forbidding illegal
processing of personal data. To ensure such activity is
possible, all data must be stored locally. A controller,
therefore, was required to record, systematize, store,
update, or extract personal data of Russian citizens using
databases physically located within the territory of the
Russian Federation. The enactment of these amendments
was postponed by nearly a year. During the consultations
between controllers and Roskomnadzor a common
approach was agreed upon: while the cross-border transfer
of data will not be limited in any way, all organizations
dealing with the personal data of Russian citizens must have
facilities to store such data in Russia. It seems that such an
approach is acceptable for all interested parties since many
leading controllers have already installed or rented storage
servers on Russian soil.
***
Russian legislation dealing with privacy protection has
evolved significantly over the decades, from a single article
in the Soviet Constitution to a fully-fledged legal system of
personal data protection. The main question on the agenda,
however, is still: does this system really protect citizens?
The clunky bureaucratic system based on a European model
is only capable of reproducing paperwork and reports,
creating work for officials, and proving its own value with the
fines it imposes on others for a lack of papers or improper
filing.
Indeed, codifying and systematizing data protection processes
is an important mechanism by itself. One could even progress
to another stage, where the controllers make their employees
learn and understand regulatory documentation. However,
the distinctive feature of the Russian system is that if one
limits itself to examining paper documents only, the whole
process would stop right there and then. In the absence of
court decisions to impose heavy fines on those who break
personal data protection laws in favor of data subjects, the
Russian controllers will remain unmotivated to proactively
protect personal data. As for the data subjects themselves, the
right to protect their personal information has long ago turned
into legal fiction exemplified by the right to press the “I agree”
button.
As in Europe, the Russian controllers have not managed to
find a universal approach combining Big Data technologies
with the principles of personal data protection. Detractors of
the European model are growing louder in their views that
the system is incapable of dealing with this challenge. At
this juncture, however, it is unlikely that a reform of personal
data legislation will take place any time soon. The existing
legislation was adopted not to protect the privacy of citizens,
but to facilitate data sharing with European institutions. As it
stands at the moment, the Russian legal framework fully meets
this objective.
30. Digital Report+28
Belarus could soon be among the top 30 nations on the International Telecommunication Union’s
ICT Development Index, says Igor Sukach, CEO of Atlant Telecom, Belarus’ leading privately
owned ISP.
ISP Market Liberalization
Equals ICT Development in Belarus
Igor SukachInterview with:
31. Digital Report+ 29
To what extent do state
regulators in Belarus consider
the importance of developing the
telecommunications market and
what steps are taken to stimulate
economic growth?
The government understands the necessity
of enhancing the telecommunications
sector as part of Belarus’ broader
informatization agenda. Belarus is
currently 36th on the ICT index, and for
a small country like ours it is a significant
achievement. Undoubtedly, the Ministry
of Communications and Informatization
aims for the country to be among the top
30 nations. The government understands
that it is impossible to build a modern
society without addressing the challenges
of informatization.
The goals, which the government
sets before ISPs, further the country’s
informatization and coincide with private
sector goals. Commercial operators want
to provide as many people as possible
with high-quality Internet access – this is
what generates our revenues. Thus, the
goals of the state and the telecom business
community in Belarus concur, and it’s
already yielding results.
What is the role of foreign
investments into Belarus’
telecommunication sector? Should
domestic investments exceed
foreign ones?
Clients and the telecom sector do not care
where investments come from. Subscribers
are interested in modern services, which
are in high demand everywhere. The
issue is this - there aren’t always enough
financial resources to develop all sectors of
the national economy evenly. So, attracting
foreign investment to Belarus is completely
reasonable. In a healthy economy,
investments first go into the banking
sector, improving the general economic
climate within the country, and then – to
telecommunications.
Atlant Telecom was Belarus’ first
telecom company to attract foreign
investments. What significance has
this had for the company and the
market in general?
In November 2011, the European Bank for
Reconstruction and Development became
the owner of 35% of Atlant Telecom shares.
This was EBRD’s first significant investment
into Belarus’ private telecommunications
market – a new experience not just for
the company, but also the entire telecom
sector. Telecommunications companies
grow and develop rather quickly, so to be
successful they have to attract serious
financial infusions. The easiest way to do it
is to attract a new shareholder-investor.
To fully appreciate the role of foreign
investment, one has to see what Atlant
Telecom was at the time. First and
foremost, we were an ADSL provider, but
we had already begun developing Ethernet
services, which was and remains at the
forefront of the technology’s evolution.
Today, there’s not a single provider in
Belarus that prioritizes ADSL growth.
Thanks to the EBRD’s investments,
we were able to focus on building the
Ethernet network. Within four years of
receiving the investments, our client base
grew ten-fold, from 18,000 to 190,000.
This development is not only highly
regarded by the company’s shareholders,
but is also a significant step forward for
Belarus’ telecommunications market. No
other company in the country has had
comparable levels of growth, which allows
Atlant Telecom to remain the leading
operator of fixed Internet in Belarus.
How effective is the development
of the private data transfer
industry in Belarus? Are private
companies able to realize their
full technological and economic
potential?
For a long time, Belarus’ national operator
[Beltelekom – Ed.] had monopoly over
several areas of the telecommunications
business – for instance, on international
communication channels. Partially, this
remains so even today, although the
monopoly gave way to an oligopoly:
there are now two state-run operators,
Beltelecom and beCloud. In a developed
economy, where demonopolization of the
telecom market took place a while ago, it is
the norm for the national operator to have
a 50-70% share of the market, while their
immediate follower has another 20-40%.
Given that the demonopoliztion of
Beltelecom started late, and is still
underway, their immediate follower,
Atlant Telecom, has only around 5% of the
market. This is why the state monopoly
in Belarus has impeded the speed of
development of telecommunication
companies, especially private ones.
However, demonopolization is ongoing
and we are hopeful about the future.
The telecommunication business is very
capital-intensive, so development will
be slow without foreign investments.
Demonopolization offers the chance of
enticing these investments.
What regulatory measures would
telecom companies in Belarus most
like to see implemented?
In every country, telecommunications are
heavily regulated. The regulations may
be liberal, but they are still in place—and
in every country they are manifested
differently. I can’t say that in Belarus
telecommunications regulations are
necessarily stricter than in other countries.
The main difference in comparison to
Western countries is that in Belarus access
to external communications channels
is not liberalized. If such liberalization
were to take place, it would be a powerful
developmental impulse for the Belarusian
telecommunications sector.
Having said that, the problems that the
industry is experiencing today are due not
only to domestic legislative restrictions.
Macroeconomic issues not unique to
Belarus pose a most acute challenge, too.
I am talking about the ongoing economic
crisis, including the devaluation of the
Euro, as well as the Russian and Belarusian
ruble.
To what extent must
telecommunications services
providers abide by national or
international standards on data
transfer?
I am not aware of any country that has
developed and maintains its own technical
standards for data transfer. There are a
number of international standards that
prescribe certain norms and rules for
all. Yet Belarus, for instance, has specific
requirements for operators. We have
an institution of authorized operators
that provide services to governmental
organs working with state secrets. It is
completely normal for the government
to regulate services, which governmental
organizations use. The state outlines
its requirements and operators decide
whether they conform to these and
whether they are fit to enter a certain
market segment or not.
32. Digital Report+30
THE DEBATE:
Rafal Rohozinski
Co-Founder & CEO of The SecDev Group
and Senior Fellow with the International
Institute for Strategic Studies in London
NO.
It would be a mistake to respond to recent terrorist
acts by focusing on control of the internet as it
is not the only means by which to prevent these
actions. Yes, terrorists use the internet, and quite
efficiently sometimes. Small groups can operate
globally because they can communicate and
send payments across borders. In some cases,
criminal activity online can fund the activities of
these groups. But terrorist groups are ultimately
a small minority. It’s important that police and
other authorities have the ability to practice lawful
intercept as part of normal security practices
designed to detect, track, and deter terrorists —
before they act. But, I believe that traditional police
and intelligence techniques are more important
in identifying groups and individuals than in
monitoring internet traffic. If we recognize that
terrorist groups are interested in changing the way
we live through fear and intimidation, then the
worst thing we could do is to allow them to do so,
which includes diminishing the clear benefits we
derive through the internet. The internet requires
policing, but terrorism is perhaps the least good
reason for imposing greater controls.
Are
the recent
terrorist attacks
sufficient basis for
increasing government
regulation of the internet
and electronic surveillance
of citizens?
33. Digital Report+ 31
Shavkat Sabirov Dmitry Zolotukhin
President of the Internet Association
of Kazakhstan
Director of the Institute of the Post-
Information Society and Principal with
the OSINT.Academy project. Former
Senior Advisor to the Minister of
Information Policy (Ukraine)
NO.
Terrorism and religious extremism are significant
challenges in our country that require constant attention
and effective solutions. And solutions will be found in any
case.
In Kazakhstan, the strengthening of government
regulation over the internet is also a permanent and
ongoing process that began in 2006. This control is
constantly increasing on a global scale. It led to the OSCE
adoption of special measures aimed at improving trust
between countries on cybersecurity matters.
However, electronic surveillance of citizens and active
measures taken to combat terrorism relate to the
professionalism and qualifications of the individual
officials involved. In various countries the approach
differs. In some places, it’s done in an awkward and crude
manner. In others, it is done professionally and without
provoking the public.
NO.
First, most experts in the field consider this path
ineffective and senseless. Even if some terrorist activities
can be monitored, there will always be individuals who
come up with ‘non-trivial solutions’, thus staying out of
sight of security services, whereas all of us will pay the
price of curtailed freedom.
Second, total surveillance will require tremendous
resources, including human resources, to process the
accumulated Big Data very likely leading to human and
system errors. As a result, we’ll again end up with neither
security nor privacy.
Third, introducing increasing surveillance over citizens as
a result of fear means a conceptual victory for terrorism.
As one Ukrainian activist said: “every democracy can be
scared into fascism”.
Lastly, I do not think that the ‘impending loss of privacy”
should be emphasized so much. Soon enough, we will
have technologies that will be able to ‘see’ everyone, so
the dilemma of ‘is it a privacy breach or not’ will cease to
be so prevalent. Things will be accepted by default.
34. Digital Report+32
ICT PANORAMA
Social Media Influencers, Trends, and Chatter
@GovernmentRF
28 Oct 2015
Russia will continue
supporting innovative growth
despite economic challenges
#Medvedev @OpenInnoEN
Russia is home to a massive
Internet audience and some
leading IT corporations, but its
innovative development has
been patchy – and now troubled
by geopolitical tensions.
Government of Russia
@MIP_UA
16 Nov 2015
#новини #міп #мінстець
Телеканал іномовлення
#UATV розширює
мультимедійні можливості...
http://goo.gl/wwf16LUkrainian international
broadcasting channel #UATV
to enhance its multimedia
capacities Ukraine has been developing
an international broadcasting
system in response to Russia’s
foreign media campaign over the
Ukrainian crisis.
Ministry of Information,
Ukraine
Ministry of Communications
and High Technologies starts
special campaign within The
month of improving the quality
of communication services
@AzerbaijanMCHT
21 Nov 2015
Azerbaijan’s impressive record
in ICT development is tainted by
its poor freedom of expression
standards.
Ministry of Communications and
High Technologies, Azerbaijan
@nnikiforov
21 Nov 2015
Попробуйте новую версию
портала #госуслуги
https://beta.gosuslugi.
ru - проверить и оплатить
налоги, штрафы, долги Try the new version of our e-gov
portal beta.gosuslugi.ru – look
up and pay taxes, fines, debtsIn recent years, Russia has
steadily increased the number of
e-government services available
to its citizens, but higher-level
corruption is still a pressing issue.
Nikolay Nikiforov, Minister of
Communications, Russia
35. Digital Report+ 33
Digital must be ‘new normal’
for governments, to stay
relevant, responsive and
accountable in 21st century
@Ansip_EU
01 Dec 2015
Former Prime Minister of Estonia,
a global leader in ICT integration
into society, is now working on
building Europe’s digital future.
Andrus Ansip, European European
Commission Vice-President for
the#DigitalSingleMarket
At first stage about 500 and
in total 2 000 populated areas
will have fast&high-quality
#internet #Georgia
@PrimeMinisterGE
13 Nov 2015
Georgia is among top-scorer for
Internet Freedom across Newly
Independent States – more
affordable access for more people,
however, remains a challenge and
priority.
Prime Minister, Georgia
IGovernment services –
now in one e-system: Wide
implementation of ICT…Uzbekistan with its newly
established Ministry of ICT
Development is committed
to digital progress, yet
authoritarian tendencies often
stand in the way.
@GOVuz
3 Dec 2015
Государственные услуги
— в единой электронной
системе: Широкое
внедрение информационно-
коммуникационных технол...
Government of Uzbekistan
MPs voted in favor of the
proposed international
broadcasting system
Various political forces
overwhelmingly support the
establishment of Ukraine’s
international broadcasting
system to give the country a
voice in global media discourse.
@MIP_UA
4 Nov 2015
#новини #мінстець #МІП :
Депутати проголосували
за систему іномовлення
України в 1МУ читанні http://
goo.gl/iiDwBY
Ministry of Communications,
Ukraine
“...Digital must be ‘new normal’ for
governments, to stay relevant, responsive and
accountable in 21st century...”
36. Digital Report+34
Jacob Appelbaum is an American human rights advocate, hacker, and cybersecurity expert - considers himself part of the “cypherpunk”
generation. A master of encryption, he worked with Julian Assange of WikiLeaks and was among the early recipients of documents revealed
by Edward Snowden. Today, the 32-year-old is waging a war against governments that engage in mass surveillance of their citizens. After US
intelligence agencies began following him closely, Appelbaum left for Germany. A passionate advocate of online privacy, in an interview with
Digital.Report+, Appelbaum speaks against state surveillance and promotes the use of encryption software.
Image: Wikipedia / Tobias Klenze /
37. Digital Report+35
For many years, Appelbaum has been an ambassador for one of the most popular internet
anonymizers, TOR. Created for anonymous communication online, TOR helps users, such as the
WikiLeaks founders, for example, remain incognito. Human rights activists and dissidents all over
the world rely on TOR for the same reason. TOR has a wide range of backers including Google,
the UN Human Rights Committee, the United States and Germany,, as well as individual donors.
State funding of TOR, however, does not curb Appelbaum’s criticism of government approaches
to surveilling their own populations.
Mass Surveillance
Belongs in the Past
Jacob AppelbaumInterview with:
What is TOR and what is its appeal?
TOR is run by a human rights, non-
profit organization that focuses on one
of the most fundamental rights, in our
view – the right to privacy. We produce
free anonymizing software and help
disseminate it to people all over the
world who use our encryption programs.
By using them, you can communicate
and search the Web without the fear of
being monitored and intercepted. TOR
was launched in 2002, and I joined the
project in 2004. It’s hard to tell exactly
how many people use TOR globally, but
we can presume no fewer than dozens
of millions. According to our statistics,
around 3,000,000 people go online daily
via TOR, but these figures are constantly
changing.
Does TOR have competition?
No serious competition. TOR has
many advantages; it’s easy to navigate
and works with all existing operating
systems – iOS, Linux, Windows. We are
continuously perfecting it, and following
the latest technological development
to see what we can apply to ensure
online security for our users. Some
people use a VPN, which is also a great
way to protect your personal data. And
it’s necessary to keep them protected
these days, because potentially anyone
can access them – it’s really not that
difficult to do. The problem is that most
people are not technically savvy. Imagine
a world where we can be – and are –
monitored. If people knew they were
being monitored, many would change
their behavior. So understand this: after
9/11, we are all being surveilled. Every
time you send a text message, or make
a call, or open your browser – it is not
confidential, and it is easy to intercept
your correspondence or conversation.
State surveillance never stops. I worked
with WikiLeaks after 2010, and we had
to suspect everyone because at the time
it felt like everyone was connected to
intelligence services. I can no longer
make a call without thinking that I am
being wiretapped. I lost trust in the
system and intelligence services that
so often act outside the law. And they
don’t inform you that you are under
surveillance or that surveillance has
stopped. Why should I be vulnerable? I
only have one demand for intelligence
services: when you want to surveil me,
please, let me know in advance. Every
time. Then I will be able to challenge
your decision in court, if I find it
unjustified.
TOR secures the transmission of
data, but technologies are always
evolving – is it really that difficult
to decrypt encrypted information?
Yes, in theory, you can decrypt
encrypted correspondence. But, for
one, it is not easy to do from a technical
standpoint, plus it requires a court
warrant. Secondly, TOR challenges the
balance of power by erecting barriers
in the path of those who want to “listen
in” on you. For example, my associates
and I use encryption programs and
live in a world practically free of mass
surveillance.
Perhaps, we should be talking
about limiting mass surveillance,
and not its full removal? Doesn’t it
sometime help to locate criminals?
Where do we draw the line between
security and freedom – especially
these days, when the terrorist
danger is so acute?